Skip to main content
Version: 3.17 (latest)

Failsafe rules

To avoid completely cutting off a host via incorrect or malformed policy, Calico Enterprise has a failsafe mechanism that keeps various pinholes open in the firewall.

By default, Calico Enterprise keeps the following ports open on all host endpoints:

22TCPInboundSSH access
53UDPOutboundDNS queries
67UDPOutboundDHCP access
68UDPInboundDHCP access
179TCPInbound & OutboundBGP access (Calico networking)
6443TCPInbound & OutboundKubernetes API server access

The lists of failsafe ports can be configured via the configuration parameters FailsafeInboundHostPorts and FailsafeOutboundHostPorts described in Configuring Felix. They can be disabled by setting each configuration value to "none".


Removing the inbound failsafe rules can leave a host inaccessible.

Removing the outbound failsafe rules can leave Felix unable to connect to the datastore.

Before disabling the failsafe rules, we recommend creating a policy to replace it with more-specific rules for your environment: see Creating policy for basic connectivity.